Payments

Below are guidelines for protecting stored cardholder data when handling four kinds of payments. Print this page for future reference.

[Image: Approved device connected to computer with USB cable]

In Person Payments

In-person payments happen when a customer comes to your location to pay with a credit or debit card. The University currently makes two methods available for accepting in-person payments: payment card terminals and virtual terminals.

Payment Card Terminals

When using a payment card terminal it is important to check devices on a daily basis to ensure no one has tampered with it. When devices are not in use, they must be stored in a secure, locked location.

Never process payment cards by entering the card numbers directly on your computer’s keyboard. Card numbers may only be keyed in on approved, PCI-validated point-to-point encryption (P2PE) devices.

Virtual Terminals

When using a virtual terminal, such as the one pictured below, be sure to lock or log off the workstation every time you leave it, even if you are only taking a quick break to get a cup of coffee.

[Image: Screenshot of a Virtual Terminal]

Virtual terminal software (like the example above) works with the payment card terminal, which is connected to the computer with a USB cable. Payment cards are swiped on the terminal, or if the card number is taken over the phone, you enter the card number using the terminal key pad, never your computer keyboard.

Certify workstations as PCI compliant for payment processing. Management and IT staff should work together to ensure that all the compliance requirements are met and documented.

If you notice strange behavior on your workstation, notify a supervisor or IT staff immediately. Your workstation may not be safe to use.

Device Inventory

Managers are responsible for keeping an accurate inventory of all devices that accept credit card payments in your department. Include each device’s make and model, location (for example, the address of the site or facility where the device is located), and the serial number or other method of unique identification. Be sure to update this list each time you dispose of a device or get a new one.

Device Disposal

Be careful when disposing of old equipment.

  • Return old payment card terminals to Treasury Operations for proper disposal.
  • “Wipe” or remove all information from hard drives before replacing, selling, or discarding workstations.
  • For more information, refer to the policy on the Disposal of Northwestern University Computers.

Payments Made Over the Phone

The use of a virtual terminal with a PCI validated P2PE device is the only permitted method of accepting card payments over the phone.

  • When accepting payments over the phone, it is critical that you do not enter credit card numbers into your computer using its keyboard.
  • If you are using a “softphone,” you are not allowed to accept cardholder information over the phone, because doing so creates a security risk for the University. If you are unsure whether your phone is a softphone, check with your IT team.
  • Never write down cardholder information for processing at a later time.

Payments Made by Mail, Fax, Email, or Messenger

The University prohibits the acceptance of credit card information by email or instant messenger. As a best practice, the University strongly discourages the acceptance of credit card information via mail or fax.

Prohibited: email and instant messenger | Discouraged: mail and fax

If legitimate business reasons exist to accept credit card information via mail or fax, first notify Treasury Operations, whose staff will work with you to ensure that your procedures comply with PCI DSS requirements.

  • Fax machines should be placed in a secure location and should be connected to analog phone lines. Multi-function fax machines that connect to the internet or have hard drives that store faxes should not be used to collect cardholder information.
  • If your department accepts paper forms with credit card information via fax or mail, take precautions to protect the information.
  • Store information in a secure location inaccessible to unauthorized personnel, such as a safe in a locked room.
  • Clearly mark documents as containing sensitive information, for example, in a folder labeled “Confidential.”
  • After you have processed the payments, immediately shred the paper records using a cross-cut shredder. Do not tear paper by hand or use a straight-cut shredder.

Treat email and instant messenger as potentially fraudulent.

If you receive payment card data electronically from anyone, treat it as a potentially fraudulent transaction.

  • Notify a supervisor as soon as possible, and do NOT process the payment.
  • Make a note of the source/sender.
  • Then, delete the message; do not print, forward, or reply directly to the email.
  • Next, notify the sender that the payment cannot be processed and should never be sent via email or instant message.
  • Provide the sender with instructions on how to safely provide payment information according to your system.
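As an added example (not part of the University's page or its payment systems), the following Python helper applies the handling steps above to an inbound message: it detects Luhn-valid card numbers, keeps only the sender and the last four digits for the supervisor note, and returns a redacted copy of the body so the full PAN is never stored, printed, or forwarded. The sender address and message text in the test are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes
# (assumption: the separator styles people commonly type into an email).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the check digit scheme used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Flag:
    sender: str            # the source/sender noted for the supervisor
    masked_pans: List[str]  # only the last four digits survive
    redacted_body: str     # safe to quote in the incident note


def triage_message(sender: str, body: str) -> Optional[Flag]:
    """Return a Flag if the message carries a Luhn-valid card number, else None.

    The full PAN is replaced in the body and never retained in the result.
    """
    masked: List[str] = []

    def _redact(match: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)  # order numbers, phone numbers etc. stay as-is
        masked.append("*" * (len(digits) - 4) + digits[-4:])
        return "[REDACTED PAN ending " + digits[-4:] + "]"

    redacted = _PAN_RE.sub(_redact, body)
    if not masked:
        return None
    return Flag(sender=sender, masked_pans=masked, redacted_body=redacted)
```

The sender and masked digits are what goes into the supervisor note; the original message itself is still deleted, not forwarded, as the steps above require.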

Online Payments

Online payments, or e-commerce payments, are a very popular way for customers to make donations and to purchase tickets and other items.

If a customer calls and wants help with an online shopping page, you cannot go onto that page and complete the transaction for them over the phone. You must use a PCI validated P2PE SRED key device or terminal to take payments over the phone on campus. While online shopping pages are very easy to use, University staff on campus must never use them to enter a customer's card details.

Internal Software

Many software systems are built to accept payments online. If you are a user of the software system and can access the customer database, be sure to immediately alert your supervisor if you are able to see cardholder information.

Password Management

The PCI Council requires you to change your software password at least every 90 days. Use complex passwords and never reuse passwords. Also, never keep the default passwords that sometimes ship with software systems. Keep your account login information secure and do not share it with others. If you give someone else access to your login information and that person violates the PCI DSS requirements or even causes a security breach, you may be held responsible.
